Security Watch

Keeping Track of patches and hacks in the IT security world.

Researchers Find Code Execution Bug in Skype

Security researchers have found a serious security vulnerability that could result in PC hijack attacks against users of the wildly popular Skype voice chat tool.

The issue, described by Aviv Raff as a cross-zone scripting vulnerability, could allow hackers to use rigged video files to launch full code execution (PC takeover) attacks.

Earlier today, Raff demonstrated the attack scenario for me by rigging a video file and uploading it to Dailymotion's servers with several keywords. From Skype's Add Video to Chat feature, I ran a search query for "calc test" (keywords used in Raff's exploit) and here's what happened when I hit the search button:


Now, imagine a social engineering scenario in which popular keywords (Britney Spears, Paris Hilton, Lindsay Lohan) are used to lure video searchers to booby-trapped videos.

Raff explains:

"Skype uses Internet Explorer Web control within the application to render internal and external HTML pages. Examples for this pages are the "Send money via PayPal" dialog, or "Add video to chat" dialog....The more problematic issue here is that Skype runs the HTML pages in a not-locked Local Zone mode. This means that if it is possible to inject a script to any of those pages, it is possible to execute code on the user's machine."

Raff and I tested the exploit against the latest version of Skype, v3.6.0.244. Prior versions may also be affected.

Petko D. Petkov, a vulnerability researcher at GNUcitizen, said he believes there's a more sinister aspect to these Skype vulnerabilities:

"I noticed that parts of the Skype traffic go over unencrypted channel. After further investigation, I found out that the unencrypted packets are part of Skype's ads, which are pulled on several places, some of which end up within the unrestricted IE controller. With the help of tools like Airpwn or Karma, attackers can easily hijack [those] ads and replace them with malicious ones. Upon rendering, a malicious code will execute within unrestricted IE controller and as such will allow the bad guys in. This type of attack is very easy to pull and it requires almost zero preparation."

In the absence of a patch, Skype users should avoid using the Add Video to Chat feature. Petkov also warns against using Skype on any public Wi-Fi hotspots because of the man-in-the-middle attack vector.